MEMORANDUM FOR: Chief, Information Systems Security Group, OS


er, bat : t &taff£, ODF 


SUBJECT: Draft Security Requirements for Automated
Information Systems Located in Overseas
Installations (U)


1. Office of Data Processing personnel have reviewed
the draft of security requirements for automated information
systems located in overseas installations. We recognize the
importance of prescribing policy in this area and we recommend
that the following suggestions be incorporated in the next
revision. The last paragraph of this memorandum contains a
summary of the recommendations. (U)


2. The requirement for semiconductor volatile memory
(IV.D.1.b) may become over-restrictive, e.g., it might
affect the use of bubble memories in the future. (S)


3. One of the principal reasons for automating field
stations is to make them more efficient and to reduce the
vulnerability of information especially if a station is overrun.
Although the draft specifies that removable data storage
media shall be used (IV.D.1.c), the draft does not address how
data should be stored on the media. Considering the possibility
of large information banks in the field, stronger guidelines
are needed as to what and how much data should be kept in
the field and under what conditions. (S)


For instance, should the data stored on field media be
encrypted? (S)


If a cassette or a floppy disk were compromised, the
problem of damage assessment is not addressed. Since there
is no requirement for maintaining volume data set catalogs,
the Agency would not know what data were lost. (S)


Perhaps the removability of storage media ought not
be an absolute requirement for overseas computers inasmuch as
technology appears to be moving in the direction of
non-removability. If this restriction is removed, then procedures
should be included to govern how non-removable media is to be
handled (e.g., guarded, encrypted, destroyed, etc.). (S)


4. The requirement in IV.D.2.4 for system software to
handle all interrupts in a known and secure manner implies
that only provably secure operating systems would be allowed.
Such operating systems are being developed but are not
available now. The draft does not address system software
certification or waiver procedures. (0)


5. Paragraph IV.D.5.a.2 specifies that "only those
terminals designated for the security classification access
level being processed shall be logically connected..." The
draft could easily specify that terminals not so designated
be electrically disconnected by means of a patch panel or other
similar arrangement. The specification of "logically" implies
that the system software would control access and this is an
unnecessary spillage risk. (S)


6. The requirement for each data file to be controlled
by a file password and indicators to describe to the system the
type of access authorized (IV.D.5.b.1) is unrealistic for the
class of machine planned for the field. Since each dataset
must reside on removable media and each storage disk, tape,
etc., is to be marked, why not specify that only those media
marked at the appropriate level be installed on the system.
Or, why not require that system access be authenticated by
password and that there be mechanisms restricting file access
to authorized users? (S)


7. In the following paragraph (IV.D.5.b.¢), access to
the master data file is limited to the ADP System Security
Officer; there should always be a backup for this function.
Also, there is a need in some installations for backup of
datasets that require automatic linkage to the master data
file. The password file should be protected by encryption such
that a system dump or system spillage will not compromise this
file. (S)


8. We believe that password procedures (IV.D.5.c) should
apply to standalone word processing terminals since this class
of terminals can read and write the same data sets as other
ADP systems, and up to the same classification levels. (U)


9. If the requirement for file passwords is relaxed,
then paragraph IV.5.35.0 would have to be revised. (U)


10. The requirement for audit trails presented by paragraph
IV.9.6 may be beyond the capabilities of existing system
software. (U)


11. The section on chew Processing (V.5) regarding
abnormal data processing system operation should be rewritten
to be more specific and should concentrate on events that have
security implications. For instance, a reported spillage to
a terminal or printer should be investigated and would be a
valid reason to stop the system. A runaway tape or a disk head
crash should not cause the system to be stopped. (S)


12. The section on ee a Maintenance/Modification may
not recognize that the Agency does and will probably continue
to use contractor personnel for onsite maintenance and
field modification of sine


13. The certification of the 15S) on the system BCE Were
modifications in section Vil.i.i.b requires technically expert
people to be meaningful. aise these experts are in short
supply, even in ADP comucurits. This requirement could be a
bottleneck in software ese unless it is treated as a
paper exercise. (U)


14. The key to emergency procedures, as mentioned
before, is in limiting the amount of data stored in the
field, not trying to sanitize or destroy it during an
emergency. The draft does not specify that the procedures
be exercised so that hay ww: rover. and se ete personnel are
fully familiar with them. (4h: Soascae & requirement that the
ADP Systems Security Officer oe Se ee for having ADP
personnel read the procedures. ()




15. Equipment procurement sterility is not addressed
in the draft. Will there asks Pace! or guidelines
regarding er sent the i y¥ anigqua?e (S)


16. In summary, the Office of Data Processing
recommends: (S)


a. Prescribe methods of storage of i
removable storage media. (Paragraph 3)


b. Prescribe guidelines as to what and how much data
should be kept in the field and under what
conditions. (Paragraph 3)


cc: DDB/A
C/BD 
DD/P 
C/ED 
Cc/SPDb 
SO/ODP 


Distribution: 
Original - Addressee 
1 - C/MS/ODP
- 0/D/OoDP
2 - ODP Registry